Data Security Procedures, Security Breach Response

Procedure Section: Information Technology Services
Effective: Monday, October 26, 2015
Last Revised: Tuesday, April 26, 2016
Procedure:

SECURITY BREACH RESPONSE

Per the Data Security Procedures, Roles and Responsibilities, Users and Data Security Officers must report any known Security Breach or any incident that is likely to cause a Security Breach. These incidents include thefts of computer devices, viruses, worms, or computer “attacks” that may lead to unauthorized access to confidential information.

Immediately upon becoming aware of a likely Security Breach, the Chief Information Security Officer shall notify the Washington State Office of the Chief Information Officer (OCIO). ITS Security and the College’s Risk Manager shall conduct an investigation.

The OCIO shall determine what, if any, actions the College is required to take to comply with applicable law, including whether any notification is required under the law.

The Chief Information Security Officer shall work with the College's Risk Manager and other administrators as appropriate to ensure that any notifications and other legally required responses are made in a timely manner.

If the event involves a criminal matter, the SPSCC Security Department shall be notified and shall coordinate its response with the OCIO and the College's Risk Manager.

ITS Security and the College’s Risk Manager shall investigate and review the incident with the department(s) directly affected by the incident, and the appropriate Data Security Officer(s).

The College’s Chief Information Security Officer shall prepare a formal report that will be distributed to the Data Security Committee and appropriate department members immediately after finalization of the investigation.

Quarterly, or as necessary, the College’s Chief Information Security Officer and the Risk Manager will present a summary of data security investigations and/or relevant data security updates to the Data Security Committee, who shall conduct a post-incident review of events and determine what, if any, changes should be made to College practices or policies to help prevent similar incidents.

The Committee shall document the College’s actions in response to a Security Breach and its post-incident review in the minutes of the meeting in which the breach is discussed.

ENFORCEMENT SANCTIONS

The College reserves the right to monitor network traffic, perform random audits, and to take other steps to ensure the integrity of its information and compliance with this policy. Requests for audits of employee or student computers based on specific concerns may be initiated by any college employee to the Human Resources Department, who may initiate a review by IT Services.

Violations of this policy may lead to appropriate disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks. Willful or repeated violations of this policy may result in dismissal from the College.

Definitions: 
Information Resource. An Information Resource is a discrete body of information created, collected and stored in connection with the operation and management of the College and used by members of the College having authorized access as a primary source. Information Resources include electronic databases as well as physical files. Information derived from an Information Resource by authorized users is not an Information Resource, although such information shall be subject to this policy.
Personally Identifiable Information. Personally identifiable information (PII), or Sensitive Personal Information (SPI), is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Sponsors. Sponsors are those members of the College community that have primary responsibility for maintaining any particular Information Resource. Vice Presidents and Deans may designate sponsors in connection with their administrative responsibilities (as in the case of the College Registrar with respect to student academic records), or by the actual sponsorship, collection, development, or storage of information (as in the case of individual faculty members with respect to their own research data, or student grades).
Data Security Officers. Data Security Officers are those members of the College community, designated by their College Vice President or Dean, who provide administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific Information Resources in consultation with the relevant Sponsors.
Users. Users include virtually all members of the SPSCC community to the extent they have authorized access to College Information Resources, and may include students, faculty, staff, contractors, consultants and temporary employees and volunteers.
Data Security Committee. The Data Security Committee shall be chaired by the Chief Information Officer and shall include all of the Vice Presidents and Chiefs, or their representatives.
Computer System Security Requirements. Computer System Security Requirements shall mean a written set of technical standards and related procedures and protocols designed to protect against risks to the security and integrity of data that is processed, stored, transmitted, or disposed of through the use of College information systems, and shall include computer system security requirements that meet or exceed the requirements of regulations ????? GET RCW’s, etc. The Computer System Security Requirements establish minimum standards and may not reflect all the technical standards and protocols in effect at the College at any given time.
Data Security Directives. Data Security Directives shall be issued from time to time by the Data Security Committee to provide clarification of this policy, or to supplement this policy through more detailed procedures or specifications, or through action plans or timetables to aid in the implementation of specific security measures. All Data Security Directives issued by the Committee shall be deemed incorporated herein.
Specific Security Procedures. Specific Security Procedures are procedures promulgated by a College Vice President or Dean to address particular security needs of specific Information Resources sponsored within their area of responsibility, not otherwise addressed by this policy, or any Data Security Directives.
Security Breach. A Security Breach is any event that causes or is likely to cause Confidential Information to be accessed or used by an unauthorized person and shall include any incident in which the College is required to make a notification under applicable law, including ????? GET RCW’s, etc.
Procedure Code: PRITSV4701